
From 90dc7f853d31b0a4e9441cba97feccf36d8b69a4 Mon Sep 17 00:00:00 2001
From: Aurelien David <aurelien.david@telecom-paristech.fr>
Date: Tue, 6 Mar 2018 11:23:31 +0100
Subject: [PATCH] fix some exploitable overflows (#994, #997)

---
 include/gpac/tools.h         | 1 +
 src/isomedia/avc_ext.c       | 2 ++
 src/media_tools/av_parsers.c | 4 ++++
 3 files changed, 7 insertions(+)

--- gpac-0.5.2-426-gc5ad4e4+dfsg5.orig/include/gpac/tools.h
+++ gpac-0.5.2-426-gc5ad4e4+dfsg5/include/gpac/tools.h
@@ -999,6 +999,7 @@ void gf_fm_request_call(u32 type, u32 pa
 }
 #endif
 
+#define ARRAY_LENGTH(a) (sizeof(a) / sizeof((a)[0]))
 
 #endif		/*_GF_CORE_H_*/
 
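Review bot: `ARRAY_LENGTH` goes into a public header without stating its one real precondition, which is that the argument must be a genuine array and never a pointer or a decayed array parameter, where `sizeof(a)` is the pointer size and the macro silently yields a wrong bound; that is exactly the case that matters when it is used for bounds checks as in av_parsers.c. I would add above the definition `/* Number of elements of a true array; applying it to a pointer (or a decayed array parameter) silently returns the wrong count. */`. Since this is a widely included header, guarding the definition with `#ifndef ARRAY_LENGTH` / `#endif` would also avoid a redefinition clash with downstream code that already defines the same common name.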
--- gpac-0.5.2-426-gc5ad4e4+dfsg5.orig/src/media_tools/av_parsers.c
+++ gpac-0.5.2-426-gc5ad4e4+dfsg5/src/media_tools/av_parsers.c
@@ -2160,6 +2160,10 @@ s32 gf_media_avc_read_sps(const char *sp
 		sps->offset_for_non_ref_pic = bs_get_se(bs);
 		sps->offset_for_top_to_bottom_field = bs_get_se(bs);
 		sps->poc_cycle_length = bs_get_ue(bs);
+		if (sps->poc_cycle_length > ARRAY_LENGTH(sps->offset_for_ref_frame)) {
+			GF_LOG(GF_LOG_ERROR, GF_LOG_CODING, ("[avc-h264] offset_for_ref_frame overflow from poc_cycle_length\n"));
+			goto exit;
+		}
 		for(i=0; i<sps->poc_cycle_length; i++) sps->offset_for_ref_frame[i] = bs_get_se(bs);
 	}
 	if (sps->poc_type > 2) {
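Review bot: The new bound check at the top of the hunk is correct as written (`>` is the right comparison, since the loop below it uses `i < poc_cycle_length`), but it gives no hint of why a value above the array length is treated as corrupt rather than as a legitimate stream, so a later maintainer may relax it. I would add a why-comment before the `if`: `/* num_ref_frames_in_pic_order_cnt_cycle is bounded by the spec (0..255); anything larger cannot be a valid SPS and would overrun offset_for_ref_frame. */` — this lets the check be read as input validation rather than an arbitrary cut-off. Note that `goto exit` targets a label outside the hunk and gf_media_avc_read_sps continues past it, so whether the caller actually sees an error return for this path cannot be confirmed from the hunk; it is worth verifying that `exit` does not report success.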